Network application apparatus

ABSTRACT

An apparatus and method to distribute applications and services in and throughout a network. The apparatus includes the functionality of a switch with the ability to apply applications and services to received data according to respective subscriber profiles. Front-end processors, or Network Processor Modules (NPMs), receive and recognize data flows from subscribers, extract profile information for the respective subscribers, utilize flow scheduling techniques to forward the data to applications processors, or Flow Processor Modules (FPMs). The FPMs utilize resident applications to process data received from the NPMS. A Control Processor Module (CPM) facilitates applications processing and maintains connections to the NPMs, FPMs, local and remote storage devices, and a Management Server (MS) module that can monitor the health and maintenance of the various modules. In an embodiment, the MS can download and otherwise control applications on the FPMs that execute the Linux operating system to provide an open architecture for downloading, executing, modifying, and otherwise managing applications.

CLAIM OF PRIORITY

[0001] This application claims priority to U.S. Provisional ApplicationNo. 60/235,281, entitled “Optical Application Switch Architecture withLoad Balancing Method”, and filed on Sep. 25, 2000, naming MikeAckerman, Stephen Justus, Throop Wilder, Kurt Reiss, Rich Collins, DerekKeefe, Bill Terrell, Joe Kroll, Eugene Korsunky, A. J. Beaverson,Avikudy Srikanth, Luc Parisean, Vitaly Dvorkian, Hung Trinh, and ShermanDmirty as inventors, the contents of which are herein incorporated byreference.

CROSS-REFERENCE TO RELATED APPLICATIONS

[0002] This patent application is co-pending with a related patentapplication entitled Second Title by the same inventor(s) as this patentapplication.

BACKGROUND OF THE INVENTION

[0003] 1. Field of the Invention

[0004] The present invention relates generally to network devices, andmore particularly to improved devices and methods for deliveringservices and applications to network users.

[0005] 2. Description of the Prior Art

[0006] Increasing numbers of businesses, services, and other providersare expanding their offerings on the internet. The basic structure forproviding network services, however, is constrained with data transportdependencies. Unfortunately, a given service is often provided from asingle network location that is deemed the central location for theservice. This location may be identified by a destination internetprotocol (IP) address that corresponds to a server that is capable ofreceiving and processing the request. Prior art systems attempt to easethe demand for a given service by providing a multiplicity of servers atthe destination IP address, wherein the servers are managed by acontent-aware flow switch. The content-aware flow switch interceptsrequests for the application or service and preferably initiates a flowwith a server that maintains a comparatively low processing load.Although the prior art systems may attempt to increase the computationalpower at the particular destination IP address by distributing therequests at the IP address, data transport dependencies remain inherentin the network structure. The content-aware flow switch is thereforelimited by the rate at which requests arrive.

[0007] There is currently not a scalable system or method to alleviatethe data transport dependencies characteristic of large computernetworks such as the internet.

[0008] What is needed is a system and method for delivering applicationsand services to computer network users that is scalable to increasednetwork demands for applications and services, and thereby mitigatesdata transport dependencies typical of the present internetarchitecture.

SUMMARY OF THE INVENTION

[0009] The methods and systems of this invention provide a scalablearchitecture and method to facilitate the allocation of network servicesand applications by distributing the services and applicationsthroughout a network such as the internet. In an embodiment, the methodsand systems can be implemented using a switch architecture that caninclude applications processors that can execute applications andservices according to subscriber profiles. In one embodiment, theapplications processors utilize the LINUX operating system to provide anopen architecture for downloading, modifying, and otherwise managingapplications. The switch architecture can also include a front-endprocessor that interfaces to the network and the application processors,recognizes data flows from subscribers, and distributes the data flowsfrom the network to the applications processors for applicationsprocessing according to subscriber profiles. In an embodiment, thefront-end processors can recognize data flows from non-subscribers, andswitch such data flows to an appropriate destination in accordance withstandard network switches. In one embodiment, the front-end processorsinclude flow schedules for distributing subscriber flows amongst andbetween several applications processors based on existing flowprocessing requirements, including for example, policy.

[0010] In an embodiment, the applications processors and front-endprocessors can be connected to a control processor that can furtheraccess local and remote storage devices that include subscriber profileinformation and applications data that can be transferred to thefront-end or applications processors. The control processor can furtheraggregate health and maintenance information from the applications andfront-end processors, and provide a communications path for distributinghealth, maintenance, and/or control information between a managementprocessor and the front-end and applications processors.

[0011] In an embodiment, the methods and systems disclosed herein caninclude the functionality of a switch that can be located at thefront-end of a network of servers, while in another embodiment, thenetwork apparatus may be between routers that connect networks.

[0012] In one embodiment, the front-end processors can be NetworkProcessor Modules (NPMs), while the at least one applications processorcan be Flow Processor Modules (FPMs). The control processor can includea Control Processor Module (CPM). In this embodiment, the NPMs caninterface to a communications system network such as the internet,receive and classify flows, and distribute flows to the FPMs accordingto a flow schedule that can be based upon FPM utilization. The at leastone FPM can host applications and network services that process datafrom individual flows using one or more processors resident on the FPMs.The CPM can coordinate the different components of the switch, includingthe NPMs and FPMs, allow management access to the switch, and supportaccess to local storage devices. Local storage devices can store images,configuration files, and databases that may be utilized whenapplications execute on the FPMs.

[0013] In an embodiment, the methods and systems of the invention canalso allow the CPM to access a remote storage device that can storeapplications and databases. An interface to at least one managementserver (MS) module can receive and aggregate health and statusinformation from the switch modules (e.g., NPMs, FPMs, CPMs) through theCPMs. In one embodiment, the MS module can reside on a separate hostmachine. In another embodiment, the management server modulefunctionality can be incorporated in a processor resident on a CPM.

[0014] In one embodiment, an internal switched Ethernet control busconnects the internal components of the switch and facilitatesmanagement and control operations. The internal switched Ethernetcontrol bus can be separate from a switched data path that can be usedfor internal packet forwarding.

[0015] In an embodiment of the invention, the NPMs, the CPMs, the FPMs,and the interconnections between the NPMs, CPMs, and FPMs, can beimplemented with selected redundancy to enhance the fault tolerantoperations and hence system reliability. For example, in one embodimentwherein two NPMs, ten FPMs, and two CPMs can be implemented, the twoNPMs can operate in redundant or complementary configurations.Additionally, the two CPMs can operate in a redundant configuration withthe first CPM operational and the second CPM serving as a backup. TheNPMs and CPMs can be controlled via the Management Server module thatcan determine whether a particular NPM or CPM may be malfunctioning,etc. In this same example, up to two FPMs can be identified as reserveFPMs to assist in ensuring that, in case of an FPM failure, eight FPMscan function at a given time, although those with ordinary skill in theart will recognize that such an example is provided for illustration,and the number of reserve or functioning FPMs can vary depending uponsystem requirements, etc. The illustrated FPMs can be configured to hostone or more applications, and some applications can be resident onmultiple FPMs to allow efficient servicing for more heavily demandedapplications. Data flows entering the switch in this configuration canbe received from an originator, processed by a NPM and returned to theoriginator, processed by a NPM and forwarded to a destination, forwardedby a NPM to a flow processor and returned via the NPM to the originator,or forwarded by a NPM to a flow processor and forwarded by the NPM to adestination. In an embodiment wherein two or more NPMs are configuredfor complementary operation, a flow received by a first NPM may beprocessed, forwarded to a second NPM, and forwarded by the second NPM toa destination. In another embodiment, the first NPM can receive a flowand immediately forward the flow to the second NPM for processing andforwarding to a destination. In complementary NPM embodiments, FPMprocessing can also be included within the described data paths.

[0016] In an embodiment, the well-known Linux operating system can beinstalled on the FPM and CPM processors, thereby providing an openarchitecture that allows installation and modification of, for example,applications residing on the FPMs. In an embodiment, the NPMs canexecute the well-known VxWorks operating system on a MIPS processor anda small executable on a network processor.

[0017] Other objects and advantages of the invention will become obvioushereinafter in the specification and drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

[0018] A more complete understanding of the invention and many of theattendant advantages thereto will be readily appreciated as the samebecomes better understood by reference to the following detaileddescription when considered in conjunction with the accompanyingdrawings, wherein like reference numerals refer to like parts andwherein:

[0019]FIG. 1A shows four example modes of operation for the networkapparatus disclosed herein;

[0020]FIG. 1B shows an illustration of an edge-based firewall embodimentfor the systems and methods disclosed herein;

[0021]FIG. 2 is a block diagram of an apparatus according to theinvention;

[0022]FIG. 3A is a block diagram of the basic data flow through theapparatus of FIG. 2;

[0023]FIG. 3B is a block diagram of a storage area network embodimentfor the apparatus of FIG. 2;

[0024]FIG. 4 is a diagram of a redundant architecture for a systemaccording to FIG. 2;

[0025]FIG. 5 is a schematic of a Network Processor Module (NPM) for thesystems of FIGS. 2 and 4;

[0026]FIGS. 6A, 6B, 6C, 6D, 6E, and 6F detail embodiments of a networkinterface for the NPM of FIG. 5;

[0027]FIG. 7 illustrates a crossover on the backplane within theillustrated NPM of FIG. 5;

[0028]FIG. 8 is an architectural block diagram of a Flow ProcessorModule (FPM) for the embodiments of FIGS. 2 and 4; and,

[0029]FIG. 9 is a block diagram of an illustrative Control ProcessorModule (CPM) architecture according to the representative systems ofFIGS. 2 and 4.

DESCRIPTION OF ILLUSTRATED EMBODIMENTS

[0030] To provide an overall understanding of the invention, certainillustrative embodiments will now be described; however, it will beunderstood by one of ordinary skill in the art that the systems andmethods described herein can be adapted and modified to provide systemsand methods for other suitable applications and that other additions andmodifications can be made to the invention without departing from thescope hereof.

[0031] For the purposes of the disclosure herein, an application can beunderstood to be a data processing element that can be implemented inhardware, software, or a combination thereof, wherein the dataprocessing element can include a number of states that can be zero orany positive integer.

[0032] For the purposes of the methods and systems described herein, aprocessor can be understood to be any element or component that iscapable of executing instructions, including but not limited to aCentral Processing Unit (CPU).

[0033] The invention disclosed herein includes systems and methodsrelated to a network apparatus that can be connected in and throughout anetwork, such as the internet, to make available applications andservices throughout the network, to data flows from subscriber users.Although the apparatus can perform the functions normally attributed toa switch as understood by one of ordinary skill in the art, andsimilarly, the apparatus can be connected in and throughout the networkas a switch as understood by one of ordinary skill in the art, theapparatus additionally allows the distribution of applicationsthroughout the network by providing technical intelligence to recognizedata flows received at the switch, recall a profile based on the dataflow, apply a policy to the data flow, and cause the data flow to beprocessed by applications or services according to the profile and/orpolicy, before forwarding the data flow to a next destination inaccordance with switch operations as presently understood by one ofordinary skill in the art. In an embodiment, the next destination may bea network address or a another device otherwise connected to the networkapparatus. By increasing the availability of services by distributingthe services throughout the network, scalability issues related toalternate solutions to satisfy increased demand for applications andservices, are addressed.

[0034]FIG. 1A displays four exemplary modes and correspondingillustrative examples of operation for the network apparatus or devicepresented herein, wherein such modes are provided for illustration andnot limitation. The first mode shown in FIG. 1A can be utilized for, asan example, a firewall application, wherein data flows can be receivedby the network apparatus and processed in what can otherwise be known asa “pass or drop” scenario. In such applications, the network apparatuscan accept data flows from one interface and either pass the flow to adestination using a second interface according to permissions providedby the firewall, or the data flow may be dropped (i.e., not forwarded tothe destination). In the second scenario of FIG. 1A, labeled “modify,source, and send,” a data flow received by the network apparatus can bereceived by a first interface, modified, and forwarded via a secondinterface to a destination. An example embodiment of the second scenarioincludes content insertion. In the third scenario of FIG. 1A, thenetwork apparatus can function as a proxy wherein data flows can bereceived, processed, and returned at a first data interface, andsimilarly, data flows received from a second data interface can beprocessed and returned via the second interface, wherein the respectivedata flows can be dependent or otherwise related. Sample embodiments ofthe third scenario of FIG. 1A include transaction services and protocoltranslation. In the fourth sample embodiment of FIG. 1A, the networkapparatus can be utilized for applications including, for example, VOIPconferencing, content insertion, and application caching, wherein dataflows can be received at a first interface, processed, and returned viathe first interface.

[0035]FIG. 1B provides another illustration of the network apparatus anddemonstrates a data flow for an edge-based firewall embodiment 200incorporating the network apparatus according to the methods and systemsdisclosed herein. In the illustration, data flows in the form ofinternet requests from a subscriber to Internet Service Provider (ISP) A202 and a subscriber to ISP B 204 are input to a Digital Subscriber LineAccess Multiplexer (DSLAM) 206 and thereafter forwarded to anAsynchronous Transfer Mode (ATM) switch 208 within an ISP A-relatedSuper-POP, that aggregates the flows and forwards the flows to a router210. The router 210 directs the data flow traffic to the network deviceor apparatus 12 that recognizes the flows from the respective ISPsubscribers 202, 204 and applies respective firewall policies. In theillustrated embodiment, ISPs A and B are subscribers to the networkapparatus 12 and in accordance therewith, provide profiles andapplications/services in accordance with such profiles for distributionand processing by the apparatus in conformance with the profiles. In theillustrated embodiment, applications in addition to the respectivefirewall policies, for example, can be applied to the respective dataflows. After the respective processing is performed by the networkapparatus 12, in the illustrated embodiment, the data flow from the ISPA subscriber 202 is forwarded to the internet 212 with the applicationsapplied to the data, while the data flow from the ISP B subscriber 204is forwarded to ISP B 214 with the policy applied to the data.

[0036] The network apparatus 12 can also recognize data as not otherwisebelonging to a subscriber and therefore not eligible for applicationsprocessing, wherein such data can be switched to a destination inaccordance with a switch presently known to one of ordinary skill in theart. Those with ordinary skill in the art will also recognize thatalthough this disclosure presents the apparatus connected within thenetwork known as the internet, the internet application is presented forillustration and not limitation. In an embodiment wherein the apparatusis used with a communications system such as the internet, the apparatuscan be connected at the front-end of a server network, or alternately,between routers that connect networks, although the apparatus disclosedherein is not limited to such embodiments.

[0037]FIG. 2 shows another illustrative block diagram 10 of the networkapparatus 12 that can host applications and connect into and throughoutthe infrastructure of a network such as the internet, therebydistributing the hosted applications and/or services accordinglythroughout the network. Those with ordinary skill in the art willrecognize that the FIG. 2 illustration is intended to facilitate thedisclosure of the invention and is not intended as a limitation of theinvention. As indicated by FIG. 2, the illustrated apparatus 12 includestwo Network Processor Module (NPMs) 14 that facilitate the flow ofnetwork into and out of the network apparatus 12 by independentlymaintaining, in the illustrated embodiment, two Gigabit Ethernetconnections. Those with ordinary skill with recognize that GigabitEthernet connections are merely one high-speed data link, and other suchdata links can be substituted without departing from the scope of theinvention. In an embodiment where the apparatus 12 is inserted in-lineon a trunk connecting subscribers to the internet core, for example, theGigabit Ethernet connections can optionally interface to a subscribernetwork 16 and the internet core 18. Those with ordinary skill in theart will recognize that in another embodiment, a single NPM can beutilized, and the two Gigabit Ethernet connections can connect to twodifferent networks, for example. Additionally, those with skill in theart will recognize that for the illustrated system, the apparatus 12 canutilize a single bi-directional interface to connect to the subscribernetwork 16 and internet core 18. The FIG. 2 NPMs 14 connect via anEthernet through a cross-connect 20 to at least one Flow ProcessorModules (FPMs) 22 that apply applications and services to data flows,and to at least one Control Processor Module (CPM) 24 that can processdata flow requests and collect health and maintenance information fromthe NPMs 14 and FPMs 22.

[0038] Each illustrated NPM 14, FPM 22, and CPM 24 also connect to ahigh-speed switching fabric that interconnects all modules and allowsinternal packet forwarding of data flows between the NPM 14, FPM 22, andCPM 24 modules. The CPM 24 similarly independently connects to the FPMs22 and NPMs 14 in the representative embodiment by a 100Base-T EthernetControl Bus 26 that can be dual redundant internal switched 100Mbyte/second Ethernet control planes. The illustrated CPMs 24 alsoconnect to a Management Server (MS) module 28 by a 100Base-T Ethernet,to a local memory device 30, and to a Data Center 32 through a GigabitEthernet connection. The MS module 28 allows for data collection,application loading, and application deleting from the FPMs 22, whilethe local memory device 30 and Data Center 32 can store data related toapplications or profile information. In the illustrated system of FIG.2, there are two NPMs 14, at least two CPMs 24, and ten FPMs 22,although such a system is merely illustrative, and those with ordinaryskill in the art will recognize that fewer or greater numbers of thesecomponents may be utilized without departing from the scope of theinvention. In the illustrated system of FIG. 2, the two NPMs can operatein complementary or redundant configurations, while the two CPMs can beconfigured for redundancy.

[0039] As indicated, using an architecture according to the principlesillustrated, the apparatus 12 may be placed within the normal scheme ofa network such as the internet, wherein the apparatus 12 may be located,for example, at the front-end of a server network, or alternately andadditionally, between routers that connect networks. Using firmwareand/or software configured for the apparatus modules, the apparatus 12can be configured to provide applications to subscribers, wherein theapplications can include virus detection, intrusion detection,firewalls, content filtering, privacy protection, and policy-basedbrowsing, although these applications are merely an illustration and arenot intended as a limitation of the invention herein. In one embodiment,the NPMs 14 can receive data packets or flows and process such packetsentirely before forwarding the packets to the appropriate destination.In the same embodiment, the NPMs 14 can receive and forward the packetsto an appropriate destination. Also in the same embodiment, the NPMs 14can recognize data packets that require processing that can be performedby applications residing on the FPMs 22; and in these instances, theNPMs 14 can perform flow scheduling to determine which FPM 22 canappropriately and most efficiently process the data, wherein the datapackets or flow can then be forwarded to the selected FPM 22 forprocessing. In an embodiment, not all FPMs 22 can process all types ofprocessing requests or data packets. Additionally, to process a datarequest, in some instances, a FPM 22 can require information from thelocal memory device 30 or the remote memory device 32, wherein the NPM14 can direct the retrieval of storage data through the CPM 24 andthereafter forward the storage data to the FPM 22. An FPM 22 canthereafter transfer processed data to the NPM 14 for forwarding to anappropriate destination. With the apparatus 12 architecture such as thatprovided by FIGS. 1 and 3, application service providers can moreefficiently provide services to subscribers by integrating and makingavailable services throughout a network such as the internet, ratherthan at a single location that is often designated as a single IPaddress.

[0040]FIG. 3A shows a schematic of data flow through the apparatus 12 ofFIG. 1. As FIG. 3A indicates, NPMs 14 may provide an interface betweenthe subscriber interface and the network core. The FIG. 3A NPM 14 canreceive data from a first interface 14 a, and depending on the datarequest, can process the data and transmit the processed data usingeither the first interface 14 a or the second interface 14 b.Alternately, the NPM 14 can forward the received data to a FPM 22 thatcan thereafter return the processed data to the NPM 14 for transmissionor forwarding using either the first interface 14 a or the secondinterface 14 b.

[0041] Similarly, the NPM 14 can receive data from the second interface14 b, process the data, and transmit the processed data using either thefirst interface 14 a or the second interface 14 b.

[0042] Additionally, data received by the NPM 14 through the secondinterface 14 b can be forwarded to the FPMs 22 for processing, whereinthe FPMs 22 can return the processed data to the NPM 14 for transmissionthrough either the first interface 14 a or the second interface 14 b. Inanother example, data received by the NPM 14 can be processed bymultiple FPMs 22, wherein the data can be forwarded to the multiple FPMs22 through the NPM 14, and returned to the NPM 14 for forwarding to adestination.

[0043] In an embodiment wherein two NPMs are configured forcomplementary operation, data received at a first NPM can be processedby the first NPM, transmitted to a second NPM, and forwarded by thesecond NPM to a destination. Alternately, data received at the first NPMcan be forwarded to the second NPM, processed, and forwarded to adestination accordingly. In yet other scenarios, data received at eitherof the two NPMs can be forwarded to any of the FPMs 22, processed, andreturned to either of the NPMs for forwarding to a destination. Thosewith ordinary skill in the art will recognize that the examples of datamovement and processing entering, within, and exiting the apparatus 10are merely for illustration and not limitation, and references to thefirst NPM and second NPM in the complementary embodiment can beexchanged, for example, without departing from the scope of theinvention.

[0044]FIG. 3B shows the system of FIGS. 2 and 3A configured to operatein accordance with a Storage Area Network (SAN) as is commonly known inthe art. In the configuration of FIG. 3B, the NPM 14 and FPM 22integration as indicated in FIG. 3A is preserved, however, the NPM 14and FPM 22 also maintain interfaces to one or more storage devices 23that can be any storage device commonly known in the art, including butnot limited to RAM, ROM, diskettes, disk drives, ZIP drives, RAIDsystems, holographic storage, etc., and such examples are provided forillustration and not limitation. As FIG. 3B indicates, data can bereceived at the NPM 14 and transferred directly to the storage devices23; or, data received by the NPM 14 can be forwarded to one or more FPMs22 before being forwarded by the FPMs 22 to the storage devices 23,wherein the FPMs 22 can perform processing on the data before forwardingthe data to storage 23. Similarly, in the FIG. 3B configuration, datacan be retrieved from storage 23 by either the NPM 14 or FPMs 22. In theFIG. 3B configuration, the NPM 14 and FPMs 22 maintain externalinterfaces that can accommodate data input and output.

[0045]FIG. 4 illustrates an alternate representation of the FIG. 2system that implements a dual redundant architecture. In the FIG. 4embodiment of a redundant architecture, there are two NPMs 14 a, 14 b,two CPMs 24 a, 24 b, and ten FPMs 22a-22n that reside in a fourteen rackchassis. In the FIG. 4 system, eight FPMs 22 are provided for typicalapparatus 12 operation, with two FPMs 22 provided as alternates in thecase of failure of up to two of the operational eight FPMs 22. As FIG. 4indicates, redundant internal switched 100 Mbyte/second (100Base-T)Ethernet control planes 170 a, 170 b, provide connections between eachof the NPMs 14 a, 14 b, CPMs 24 a, 24 b, and FPMs 22 a-22 n. Theillustrated LA system also includes dual fabric links 172 a, 172 b,wherein each FPM 22 a-22 n and CPM 24 a, 24 b connect to each fabriclink 172 a, 172 b, while the first NPM 14 a connects to the first fabriclink 172 b, and the second NPM 14 b connects to the second fabric link172 b to allow each NPM 14 a, 14 b to operate independently of theother.

[0046] Additionally, as indicated in FIG. 4, the FIG. 4 NPMs 14 a, 14 bmaintain two Gigabit Ethernet connections to the network, wherein one ofthe connections can be to a subscriber including a subscriber network,etc., while the other connection can be to the internet core.Alternately, the illustrated CPMs 24 a, 24 b maintain a Gigabit Ethernetconnection to communicate with a remote storage device illustrated asthe data center 32 of FIG. 2.

[0047]FIG. 5 shows a schematic block diagram of an illustrative NPM 14according to FIGS. 2 and 4. As indicated in FIGS. 2 and 4, according tothe invention, the apparatus or switch 12 can include one or more NPMs14, and when more than one NPM 14 is utilized, the NPMs 14 may beconfigured for redundant or complementary operation.

[0048] A NPM 14 can include a modular and optional subsystem illustratedin FIG. 5 as a network interface subsystem 40. This subsystem 40physically connects the switch 12 and a network, thereby providing adata flow between the switch 12 and the 14 network. The NPM 14 alsoincludes a Network Processor 42 that Is connects to the networkinterface subsystem 40. The Network Processor 42 can be, for example, anIQ2000 Network Processor, and those with ordinary skill in the art willrecognize this example as an illustration and not a limitation, whereinany like device performing the functions as described herein may besimilarly substituted. Additionally, a second processor can beco-located within the NPM architecture without departing from the scopeof the invention. In the case of the illustrated IQ2000 NetworkProcessor 42, the network interface system 40 can connect to ports A andB of the Network Processor 42 using a FOCUS bus, wherein such portsshall hereinafter be referred to as FOCUS ports A and B, and wherein tworemaining FOCUS ports labeled C and D are available on the NetworkProcessor 42.

[0049] The network interface subsystem 40 can be a changeable componentof the NPM architecture, wherein the different options can be differentPrinted Circuit Board (PCB) designs or pluggable option boards, however,those with ordinary skill in the art will recognize that such methods ofimplementing the network interface subsystem 40 are merely illustrativeand the invention herein is not limited to such techniques.

[0050] For example, FIGS. 6A through 6F provide various illustrativenetwork interface subsystem 40 options for the FIG. NPM 14. Referring toFIG. 6A, the two Gigabit Ethernet interfaces 50, 52 to the FIG. 5Network Processor 42 are supported through the Network Processor's 42two embedded Gigabit Ethernet Media Access Control devices (MACs). Inthe FIG. 6A embodiment of a network interface subsystem 40, the onlyexternal devices necessary for Gigabit Ethernet operation include theGigabit Ethernet physical layer device (PHY) 54 a, 54 b and opticalinterfaces 56 a, 56 b. In the illustrated embodiment, a first opticalinterface 56 a can couple to a subscriber's network equipment, while asecond optical interface 56 b can couple to the internet core.

[0051] Referring now to FIG. 6B, there is an illustrative configurationfor the FIG. 5 NPM 14 wherein FOCUS ports A and B can support up toeight 10/100 Ethernet ports through an external octal 10/100 MAC 60 a,60 b. In FIG. 6B, the two external eight port 10/100 MACs 60 a, 60 bcouple to the FOCUS ports and to two external eight port 10/100 PHYdevices 62 a, 62 b. The PHY devices respectively couple to eight RJ-45connections 64 a, 64 b. In the FIG. 6B configuration, one set of eightRJ-45 ports 64 a can be dedicated to the subscriber's network, while theremaining eight RJ-45 ports 64 b can couple to the internet core. In oneembodiment, the architecture of FIG. 6B can allow software or firmwareto configure the ports as independent data streams such that datareceived on a subscriber's port can be returned on a internet port.

[0052] Referring now to FIG. 6C, there is a network interface subsystem40 configuration for the illustrated NPM 14 of FIG. 5, wherein theswitch 12 can receive ATM cells with the cooperation of a Segmentationand Reassembly device (SAR) 70 a, 70 b connected to the A and B FOCUSports. In the configuration of FIG. 6C wherein OC-3c ATM operation isillustrated, four optical interfaces 72 a provide the subscriberinterface, while four optical interfaces 72 b provide the internet coreinterface. The respective subscriber and internet optical interfaces 72a, 72 b couple to a four port framer 76 a, 76 b that provides input to aTransmission SAR 70 a (TX, “to” the switch 12), or receives output froma Receiver SAR 70 b (RX, “from” the switch 12). In the illustratedconfiguration, the SARs 70 a, 70 b utilize a 32-bit SRAM 77 and a 64-bitSDRAM 78, although such an embodiment is merely for illustration. In theillustrated system of FIG. 6C, the SAR UTOPIA ports interface to theFOCUS A and B ports through a Field Programmable Gate Array (FPGA) 79.Those with ordinary skill in the art will recognize that the networkinterface subsystem of FIG. 6C, as with the other diagrams providedherein, is merely provided for illustration and not intended to limitthe scope of the invention; therefore, components may be otherwisesubstituted to perform the same functionality, wherein for example, asingle SAR capable of transmission and receiving may be substituted forthe two SARs 70 a, 70 b depicted in the illustration of FIG. 6C.

[0053] Referring now to FIG. 6D, there is a network interface subsystem40 configuration for the illustrated NPM 14 of FIG. 4, wherein OC-12cATM operation may be enabled. In the illustrated system, one OC-12coptical interface 80 a can couple to the subscribers, while a secondOC-12c optical interface 80 b can couple to the internet core. Incontrast to FIG. 6C, FIG. 5D illustrates only a two port framer 82 thatthereafter interfaces to the TX and RX SARs 84 a, 84 b, FPGA 86, and therespective FOCUS ports of the Network Processor 42.

[0054] Referring now to FIG. 6E, there is an OC-3C Packet Over SONET(POS) configuration for the network interface subsystem 40 of FIG. 5. Inthe illustrated configuration of FIG. 6E, four optical interfaces 90 acan interface to the subscriber, while four optical interfaces 90 b canbe dedicated to the internet core. The optical interfaces 90 a, 90 brespectively couple to a four port framer 92 a, 92 b that interfaces tothe A and B FOCUS ports through a FPGA 94. Those with ordinary skill inthe art will recognize that because PPP (Point-to-Point Protocol)encapsulated packets are inserted into the SONET Payload Envelope (SPE),all POS links are concatenated, and the FPGA 94 utilized in FIG. 6E maytherefore be similar to the FPGA 86 of FIG. 6D.

[0055] Referring to FIG. 6F, there is a configuration of the networkinterface subsystem 40 of FIG. 5 for a two port OC-12c POS application.In the illustrated system, one optical interface 100 a can couple to thesubscriber, and another 100 b can couple to the internet core. The FIG.6F optical interfaces 100 a, 100 b couple to a two port framer 102 thatinterfaces to a FPGA 104 for connection to the A and B FOCUS ports.

[0056] Referring back to FIG. 5, the illustrated Network Processor 42also connects to a CPU subsystem 110 that includes a MIPS processor 112such as a QED RM700A 400 MHz MIPS processor, a system controller/PCIbridge 114 such as the Galileo GT64120A system controller/PC bridge,local SDRAM 116, and a Programmable Logic Device (PLD) 118. In theillustrated system, the PLD 118 makes accessible the board specificcontrol registers and miscellaneous devices. As illustrated, the PLD 118is connected to a local high-speed bus on the GT64120A 114 with a localSDRAM 116, and acts as a buffer between the local high-speed bus 120 anda lower speed peripheral bus 122 that has boot PROM Flash 124 andnon-volatile RAM (NVRAM) 126 for semi-permanent storage of settings andparameters, and for providing a real-time clock for time of day anddate. The FIG. 5 PCI bus 127 connected to the PCI bridge also includestwo Fast Ethernet MACs 128 a, 128 b, such as the Intel GD82559ER 100Mbit MAC that includes an integrated PHY, to provide redundantconnections between the NPM 14 and CPM 24 via a primary and secondary100 Base-T Ethernet channel. The illustrated MACs 128 a, 128 b reside onthe PCI bus and perform Direct Memory Access (DMA) transfers between thePCI internal buffers and the defined buffer descriptors within the localMIPS memory 112. The MACs 128 a, 128 b can support an unlimited burstsize and can be limited by PCI bridge performance. In an embodiment,flow control can be utilized in a control plane application to avoidunnecessary packet loss. The illustrated GT64120A 114 allows the CPU 112and other local bus masters to access the PCI memory and/or devicebuses.

[0057] The FIG. 5 NPM 14 also includes a switch fabric subsystem 130that provides high-speed, non-blocking data connections between the NPM14 and the other modules within the switch 12. The connections includetwo links to another, redundant or complementary NPM 14 and a link toeach CPM 24. The illustrated NPM's 14 portion of the fabric includes twoFocus Connect devices 132 a, 132 b, wherein one Focus Connect device 132a is connected to the IQ2000 42 port C using a FOCUS Bus, while anotherFocus Connect device 132 b is connected to port D.

[0058] In the illustrated system, the ports on the sixteen bit FOCUS buson the Focus Connect devices 132 a, 132 b, with the exception of localport eight, are attached to a Cypress Quad Hotlink Gigabit transceiver134 that is a serial to deserial (SerDes) device 136 having dualredundant I/O capabilities and configured for dual channel bonded mode.The dual channel bonded mode couples two channels together in asixteen-bit channel, wherein there can be two such sixteen-bit channelsper device. Referring now FIG. 7, the dual redundant serial I/Ocapabilities, in cooperation with a crossover on the backplane, allowany slot to be connected to any other slot such that a packet or a dataroute vector modification is not necessary when only one NPM 14 ispresent. The FIG. 5 Serdes devices 136 convert incoming serial streamdata from the backplane, to parallel data for forwarding to the FocusConnect devices 132 a, 132 b. Similarly, the Serdes 136 convertsparallel data from the Focus Connect device 132 a, 132 b to serial databefore placing the data on the backplane.

[0059] For example, with the illustrated system of FIG. 4 a FocusConnect device 132 a, 132 b is connected to the IQ2000 FOCUS C and Dports and wherein the Focus Connect devices 132 a, 132 b maintain eightports each, in the illustrative system wherein there is a fourteen slotchassis and there are ten slots for FPMs 22 a-22 n, two slots for NPMs14 a, 14 b, and two slots for CPMs 24 a, 24 b, the Focus Connect deviceports can be configured as shown in Tables 1 and 2: TABLE 1 FocusConnect device connected to IQ2000 FOCUS Port C (132a) Focus ConnectPort Connected Module 1 FPM, slot 1 2 FPM, slot 2 3 FPM, slot 3 4 FPM,slot 4 5 FPM, slot 5 6 CPM, slot 1 7 Other NPM, Focus Connect Port D 8Local IQ2000, Port C

[0060] TABLE 2 Focus Connect device connected to IQ2000 FOCUS Port D(132b) Focus Connect Port Connected Module 1 FPM, slot 6 2 FPM, slot 7 3FPM, slot 8 4 FPM, slot 9 5 FPM, slot 10 6 CPM, slot 2 7 Other NPM,Focus Connect on Port C 8 Local IQ2000, Port D

[0061] As Tables 1 and 2 indicate, using the FIG. 4 NPM 14 in aredundant system as illustrated in FIGS. 1 and 3, the dual NPMs 14 a, 14b can access all FPMs 22 a-22 n and each CPM 24 a, 24 b, and vice-versa.

[0062] The fourth major subsystem of the FIG. 5 NPM 14 is a memorysubsystem 140. The FIG. 5 memory subsystem is a single RAMbus channelfor packet buffer storage and flow lookup table space. In theillustrated embodiment, the memory subsystem 140 includes a searchprocessor 142 and several content addressable memories 144, althoughthose with ordinary skill in the art will recognize that the inventionherein is not limited to the memory subsystem 140 or the componentsthereof.

[0063] Referring back to FIG. 5, data received by the NPM 14 can beforwarded to the IQ2000 42 that can include instructions for recognizingpackets or data flows. For example, CPU or processor instructions canimplement or otherwise utilize a hash table to identify services orprocessing for an identified packet or flow, wherein the packet or flowcan subsequently be forwarded to a FPM 22, for example, in accordancewith the service or processing. Alternately, unidentified packets can beforwarded to the MIPS 112 that can include instructions for identifyingthe packet or flow and associated processing or services. In anembodiment, packets unable to be identified by the MIPS 112 can beforwarded by the MIPS 112 to the CPM 24 that can also includeinstructions for identifying packets or flows. Identificationinformation from either the CPM 24 or MIPS 112 can be returned to theIQ2000 and the hash table can be updated accordingly with theidentification information.

[0064] Referring now to FIG. 8, there is a basic schematic block diagramof a FPM 22 for the system illustrated in FIGS. 1-3. In the embodimentof FIG. 8, the FPM 22 is based upon Intel's 440BX AGPset, with amajority of the FPM functionality similar to a personal computer (PC).The illustrated FPM 22 can therefore be viewed as having four mainsections that include a processor or CPU 120, a 440BX AGPset 122, aFOCUS interface, and peripherals. In the illustrated system of FIGS. 2and 4, the FPMs 22 are identically designed, although those withordinary skill in the art will recognize that the methods and systemsdisclosed herein may include differing FPM designs.

[0065] Referring to FIG. 8, the illustrated FPM 22 embodiment supports asingle socket 370 Intel Pentium III CPU 150 with a 100 Megahertzprocessor system bus (PSB), although such processor is merely forillustration and not limitation, and those with ordinary skill in theart will recognize that the invention disclosed herein is not limited bythe CPU selection or processor component. Similarly, those with ordinaryskill in the art will recognize that multiple processors 150 can beincorporated within the FPM architecture without departing from thescope of the invention. The representative FPM 22 also includes a 440BXAccelerated Graphics Port (AGPset) 152 that provides host/processorsupport for the CPU 150.

[0066] Data packets moving into and out of the FPM 22 in the illustratedsystem use a 16-bit wide 100 Megahertz bus called the FOCUS bus, and inthe illustrated embodiment, a full-duplex FOCUS bus attaches to everyFPM 22 from each NPM 14, wherein in the illustrated embodiment of dualredundant NPMs 14 a, 14 b, every FPM 22 communicates with two NPMs 14 a,14 b. As indicated previously, the FOCUS bus signal is serialized on theNPM 14 a, 14 b before it is placed on the backplane, to improve signalintegrity and reduce the number of traces. As illustrated, deserializers154 a, 154 b on the FPM 22 convert the signal from the backplane to abus and the bus connects the deserializers 154 a, 154 b to a FocusConnect 156 that interfaces through a FPGA 158 and Input OutputProcessor 160 to the 440BX AGPset 152. The illustrated PRC is aneight-way FOCUS switch that allows the FPM 22 to properly direct packetsto the correct NPM 14.

[0067] The FIG. 8 FPM 22 also maintains peripherals including controlplane interfaces, mass storage devices, and serial interfaces. In theillustrated FPM 22, the control plane provides a dedicated path forcommunicating with the FPM 22 through two fast Ethernet controllers 130a, 130 b that interface the AGP 152 to the redundant control plane. Asindicated in FIGS. 2 and 4, it is typically the CPM 24 a, 24 b thatcommunicates with the FPM 22 via the control plane. In the illustratedembodiment, the fast Ethernet controllers 130 a, 130 b connect tocontrol planes that are switched 100 Megabits/second Ethernet networksthat terminate at the two CPMs 24.

[0068] The illustrated FPM 22 may also support different types of massstorage devices that can include, for example, a M-Systems DiskOnChip(DOC), a 2.5 inch disk drive, NVRAM for semi-permanent storage ofsettings and parameters, etc.

[0069] Referring now to FIG. 9, there is an illustration of a sample CPM24 as presented in the systems of FIG. 2 and 4. As indicated previously,the CPM 24 performs generic, switch-wide functions and is connected tothe other switch components through a data interface that, in theillustrated embodiment, is identical to the data interface of FIG. 7 forthe FPM 22. Those with ordinary skill in the art will recognize that thecommon data interfaces for the FPM 22 and CPM 24 modules are merely forconvenience and do not limit the scope of the invention.

[0070] As discussed earlier, in the illustrated embodiment, the controlplanes terminate at a CPM 24, wherein the illustrative control planesare dual redundant, private, switched 100 Megabit Ethernet. Theswitching elements are housed on the CPM 24, and therefore allpoint-to-point connections between other modules and a CPM 24 aremaintained through the backplane connector.

[0071] Additionally, the CPM 24 controls the switch 12 boot process andmanages the removal and insertion of modules into the switch 12 whilethe switch 12 is operational.

[0072] In the illustrated CPM 24 of FIG. 9, the main CPU 170 is aPentium III processor, although the invention herein is not so limited,and any processor or CPU or device capable of performing the functionsdescribed herein may be substituted without departing from the scope ofthe invention, wherein multiple processors or CPUs may additionally beutilized. In the illustrated CPM 24, a 440BX Accelerated Graphics Port(AGPset) 172 provides host/processor support for the CPU 170. The FIG. 9AGP 172 supports a PCI interface to connect to miscellaneous hardwaredevices.

[0073] Three fast Ethernet controllers 174 a, 174 b, 174 c also resideon the PCI bus of the 440 BX 172. One of these three fast Ethernetcontrollers 174 a provides external communications and multiplexes withthe fast Ethernet on the other CPM 24. The other two fast Ethernetcontrollers 174 b, 174 c provide dedicated communications paths to theNPMs 14 and FPMs 22. In the illustrated system of FIG. 9, the fastEthernet controller is an Intel 82559ER, fully integrated10BASE-T/100BASE-TX LAN solution combining the MAC and PHY into a singlecomponent, although such embodiment is merely provided as anillustration. In the illustrated system, the fast Ethernet controllers174 b, 174 cinterface to an Ethernet switch 176 that provides fourteendedicated communication paths to the control plane for up to ten FPMs 22and two NPMs 14.

[0074] Data packets move into and out of the illustrated CPM 24 using asixteen-bit wide 100 MHz FOCUS bus. In the illustrated system, there isone full-duplex FOCUS bus coupling each CPM 24 to each NPM 14, whereinfor the illustrated system of FIGS. 2 and 4 having dual redundant NPMs14 a, 14 b, each CPM 24 couples to two NPMs 14 a, 14 b. Serdes devices178 a, 178 b convert incoming serial stream data from the backplane, toparallel data for forwarding to a Focus Connect device 180. Similarly,the Serdes 178 a, 178 b convert parallel data from the Focus Connect 180to serial data before placing it on the backplane. The illustrated FocusConnect 180 is a switch used by the CPM 24 to direct packets to thecorrect NPM 14. In the FIG. 9 system, packets are moved into and out ofthe CPU memory 182 through a FPGA 184 and Input Output Processor 186that interface the Focus Connect 180 to the AGP 172.

[0075] Referring again to the systems of FIGS. 2 and 4, the CPMs 24coordinate the different components of the switch, including the NPMsand FPMs, and similarly support access to a local storage device 30 thatcan also be referred to as a local memory device.

[0076] In one embodiment, the local storage device 30 can store images,configuration files, and databases for executing applications on theFPMs 22. For example, the local device 30 may store subscriber profilesthat can be retrieved for use by either the NPM 14 or FPMs 22. In anembodiment, a configuration file for a particular application orsubscriber can be retrieved and copied to multiple FPMs 22, for example,thereby providing increased efficiency in a scenario wherein multiple,identically configured FPMs 22 are desired. In such an embodiment, FPMs22 may be grouped for a subscriber. The local storage device 30 can beany well-known memory component that may be removable or resident on theCPMs 24, including but not limited to a floppy disk, compact disc (CD),digital video device (DVD), etc. In the illustrated system, there is atleast one local storage device for each CPM 24. Similarly, in theillustrated system, the local storage device 30 can be divided intoseveral partitions to accommodate and protect certain processor's needs,including the processors on the various FPMs 22. In one embodiment, thelocal storage device 30 can include two identical disk partitions thatallow dynamic software upgrades. In an embodiment, two disk partitionscan include identical groups of partitions that can include swappartitions, common partitions for use by all processors, and specificpartitions for different module processors (i.e., NPMs, FPMs, CPMs).

[0077] The illustrated CPMs 24 can also access a remote storage device32, wherein such remote storage can store services, database, etc., thatmay not be efficiently stored in the local memory device 30. The remotestorage device 32 can be any compilation of memory components that canbe physically or logically partitioned depending upon the application,and those with ordinary skill in the art will recognize that theinvention herein is not limited by the actual memory components utilizedto create the remote storage device 32.

[0078] The FIG. 2 CPMs 24 also couple to at least one management server(MS) module 28. In the illustrated embodiment, the connection is a100Base-T Ethernet connection. In the FIG. 2 system, the MS 28 canreceive and aggregate health and status information from the switchmodules 14, 22, 24, wherein the health and status information may beprovided to the MS 28 through the CPMs 24. In an embodiment wherein NPMs14, FPMs 22, and CPMs 24 are redundantly provided, for example, the MS28 can activate or inactivate a particular apparatus 12 module. In theillustrated embodiments, the MS 28 communicates with the apparatus 12modules through the CPM 24. In an embodiment, the MS 28 may be a PC, SunWorkstation, or other similarly operational microprocessor controlleddevice, that can be equipped with microprocessor executable instructionsfor monitoring and controlling the apparatus 12 modules. In anembodiment, the MS 38 can include an executable that provides agraphical user interface (GUI) for display of apparatus 12 monitoringand control information. In one embodiment, the MS 38 can be a separatedevice from the CPM 24, while in another embodiment, the MS 28functionality can be incorporated into the CPM 24, for example, byutilizing a separate processor on the CPM 24 for MS 38 functionality.

[0079] In an embodiment, the well-known Linux operating system can beinstalled on the FPM 22 and CPM 24 processors, thereby providing an openarchitecture that allows installation and modification of, for example,applications residing on the FPMs 22. In the illustrated systems, themanagement and control of applications on the switch modules can beperformed using the MS 28. In the illustrated embodiments, the MS 28management can be performed using the CPM 24. Applications such asfirewall applications, etc., in the illustrated embodiments cantherefore be downloaded, removed, modified, transferred between FPMs 22,etc. using the MS 28.

[0080] In an embodiment, the NPMs 14 can execute the well-known Vxworksoperating system on the MIPS processor and a small executable on theIQ2000 processor 42. Those with ordinary skill in the art will recognizethat the methods and systems disclosed herein are not limited to thechoice of operating systems on the various switch modules, and that anyoperating system allowing an open architecture can be substituted whileremaining within the scope of the invention.

[0081] One advantage of the present invention over the prior art is thata switch architecture is disclosed with multiple processor moduleshaving an open architecture wherein applications may be distributed toand throughout the multiple processors for efficient servicing byapplications throughout a network, and wherein a distinct processormodule can interface to the network and appropriately direct data fromthe network, to one of the multiple processor modules in part as afunction of the multiple processor processing loads, and hence returnthe processed data to the network.

[0082] What has thus been described are an apparatus and method todistribute applications and services in and throughout a network. Theapparatus includes the functionality of a switch with the ability toapply applications and services to received data according to respectivesubscriber profiles. Front-end processors, or Network Processor Modules(NPMs), receive and recognize data flows from subscribers, extractprofile information for the respective subscribers, utilize flowscheduling techniques to forward the data to applications processors, orFlow Processor Modules (FPMs). The FPMs utilize resident applications toprocess data received from the NPMs. A Control Processor Module (CPM)facilitates applications processing and maintains connections to theNPMs, FPMs, local and remote storage devices, and a Management Server(MS) module that can monitor the health and maintenance of the variousmodules. In an embodiment, the MS can download and otherwise controlapplications on the FPMs that execute the Linux operating system toprovide an open architecture for downloading, executing, modifying, andotherwise managing applications.

[0083] Although the present invention has been described relative to aspecific embodiment thereof, it is not so limited. Obviously manymodifications and variations of the present invention may becomeapparent in light of the above teachings. For example, although theillustrated systems divided the modules into various components, thefunctionality of components may be combined into a single module whereappropriate, without affecting the invention. For example, themanagement server module may be incorporated in the control processormodule. Additionally, the processors and supporting components of thedifferent modules may be replaced with other, similarly functioningcomponents. In some embodiments, additional supporting components may bedesired, while in other embodiments, some of the illustrated supportingcomponents can be omitted. The connections between components, althoughin the illustrated embodiments include Ethernet connections, may includewired or wireless Ethernet, for example, or may include any combinationof communicative channel and protocol, wherein examples of wired orwireless communicative channels may be bus configurations, cabling,infrared, spread spectrum, or other communicative channels orconnections, and examples of protocols may include pseudo noisemodulation, Frame Relay, Asynchronous Transfer Mode (ATM), etc., whereinsuch combinations of communicative channel and protocol may herein bedescribed and defined as electrical connections. Although theillustrated systems utilized Gigabit Ethernet connections, 100Base T,etc., any other high-speed data link can be substituted therein withoutdeparting from the scope of the invention.

[0084] Many additional changes in the details, materials, steps andarrangement of parts, herein described and illustrated to explain thenature of the invention, may be made by those skilled in the art withinthe principle and scope of the invention. Accordingly, it will beunderstood that the invention is not to be limited to the embodimentsdisclosed herein, may be practiced otherwise than specificallydescribed, and is to be understood from the following claims, that areto be interpreted as broadly as allowed under the law.

What is claimed is:
 1. A network apparatus, comprising, at least oneflow processor module having at least one processor and at least onememory for storing applications for execution by the at least oneprocessor, at least one network processor module having at least oneprocessor, at least one interface to receive data from and transmit datato the network, and instructions to cause the at least one processor torecognize a data request for processing by the applications in the flowprocessor module memories, and to forward the data request to a flowprocessor module capable of processing the data according to the datarequest, and, at least one control processor module in communicationwith the flow processor modules and the network processor modules, andhaving at least one processor, and instructions for causing the at leastone processor to manage the applications in the flow processor modulememories.
 2. A network apparatus according to claim 1, wherein thecontrol processor module instructions for causing the at least oneprocessor to manage the applications in the flow processor modulememories further include instructions to cause the control processormodule to perform at least one of, downloading applications to the flowprocessor module memories, and deleting applications from the flowprocessor module memories.
 3. A network apparatus according to claim 1,further comprising a management server module in communication with thecontrol processor module and having at least one processor.
 4. A networkapparatus according to claim 3, wherein the management server modulefurther includes instructions for causing the at least one managementserver processor to cause the control processor module to perform atleast one of, downloading applications from the management server moduleto the flow processor module memories, and deleting applications fromthe flow processor module memories.
 5. A network apparatus according toclaim 1, further comprising a local memory device coupled to the controlprocessor module.
 6. A network apparatus according to claim 1, furthercomprising a remote memory device coupled to the control processormodule.
 7. A network apparatus according to claim 1, wherein the controlprocessor module further includes instructions to cause the at least onecontrol processor module processor to transfer data between a managementserver module and the flow processor modules.
 8. A network apparatusaccording to claim 1, further comprising at least one storage devicecoupled to the at least one flow processor module.
 9. A networkapparatus according to claim 1, further comprising at least one storagedevice coupled to the at least one network processor module.
 10. Anetwork apparatus, comprising, at least one flow processor module,having, at least one processor, and at least one memory to storeapplications f or execution by the at least one processor, and, a firstnetwork processor module having at least one processor, at least oneinterface to receive data from and transmit data to the network, andinstructions to cause the at least one processor to recognize a datarequest for processing by the applications in the flow processor modulememories, and to forward the data request to a flow processor modulecapable of processing the data according to the data request, and, afirst control processor module in communication with the first networkprocessor module and the flow processor modules, and having, at leastone processor, and, instructions for causing the at least one processorto manage the applications in the flow processor module memories.
 11. Anetwork apparatus according to claim 10, further comprising, amanagement server module in communication with the control processormodule, and having at least one processor with instructions to managethe applications on the flow processor modules.
 12. A network apparatusaccording to claim 10, further comprising a first control plane tocouple the first network processor module, the flow processor modules,and the first control processor module.
 13. A network apparatusaccording to claim 10, further comprising a distinct second controlplane to couple the first network processor module, the flow processormodules, and the first control processor module.
 14. A network apparatusaccording to claim 13, further comprising, a distinct second networkprocessor module coupled to the first control plane and the secondcontrol plane, and having at least one processor, at least one interfaceto receive data from and transmit data to the network, and instructionsto cause the processor to recognize a data request for processing by theapplications in the flow processor module memories, and to forward thedata request to a flow processor module capable of processing the dataaccording to the data request, a distinct second control processormodule coupled to the first control plane, the distinct second controlplane, and the management server module, and having at least oneprocessor.
 15. A network apparatus according to claim 10, furthercomprising a local memory device that is coupled to the first controlprocessor module.
 16. A network apparatus according to claim 14, furthercomprising a local memory device that is coupled to the first controlprocessor module and the second control processor module.
 17. A networkapparatus according to claim 10, further comprising a remote memorydevice that is coupled to the first control processor module.
 18. Anetwork apparatus according to claim 17, further comprising a high speeddata link to couple the remote memory device to the first controlprocessor module.
 19. A network apparatus according to claim 14, furthercomprising a remote memory device that is coupled to the first controlprocessor module and the second control processor module.
 20. A networkapparatus according to claim 19, further comprising a high speed datalink to couple the remote memory device to the first control processormodule and the second control processor module.
 21. A network apparatusaccording to claim 11, further comprising a high speed data link tocouple the management server module to the first control processormodule.
 22. A network apparatus according to claim 14, furthercomprising, a management server module in communication with the controlprocessor module, and having a processor with instructions to manage theapplications on the flow processor modules, and, a high speed data linkto couple the management server module to the first control processormodule and the second control processor module.
 23. A network apparatusaccording to claim 11, wherein the management server module furthercomprises a processor and instructions for causing the processor totransmit and receive data from the first control processor module.
 24. Anetwork apparatus according to claim 11, wherein the management servermodule is a personal computer.
 25. A network apparatus according toclaim 11, wherein the management server module further includesinstructions to receive health and maintenance data from the firstnetwork processor module, the flow processor modules, and the firstcontrol processor module.
 26. A method for distributing applications ina network, comprising, receiving data from the network at a networkdevice, identifying at least one application to apply to the data,processing the data according to the identified applications, and,forwarding the processed data from the network device.
 27. A methodaccording to claim 26, further comprising applying policy to the data.28. A method according to claim 26, wherein identifying at least oneapplication further comprises utilizing a hash table to associate thedata to at least one application.
 29. A method according to claim 26,wherein identifying at least one application further comprises,associating a subscriber profile with the data, and, selecting at leastone application based on the subscriber profile.
 30. A method accordingto claim 26, wherein processing the data according to the identifiedapplications further comprises directing the data to at least oneprocessor for executing the identified applications.
 31. A methodaccording to claim 30, further including configuring the processors forthe identified applications.
 32. A method according to claim 26, furtherincluding selecting at least one processor based on the applications.33. A method according to claim 26, further including selecting at leastone processor based on processor loading.
 34. A method according toclaim 26, further including selecting at least one processor based onapplying a policy to the data.
 35. A method according to claim 26,wherein identifying at least one application to apply to the datafurther comprises, identifying the data source, and, retrieving anapplication profile based on the data source.
 36. A method according toclaim 26, wherein forwarding the processed data from the network devicefurther includes, forwarding the processed data to the network.
 37. Amethod according to claim 26, wherein forwarding the processed data fromthe network device includes forwarding the processed data to a storagedevice.
 38. A method according to claim 26, further includingdetermining a destination to forward the processed data.
 39. A methodaccording to claim 26, further comprising providing applications toprocessors at the network device.
 40. A method according to claim 39,wherein providing applications to processors at the network devicefurther includes downloading applications to processors from at leastone of a remote processor and storage device.
 41. A method for managingapplications on a network apparatus, comprising, providing at least oneflow processor module having at least one processor and at least onememory for storing applications, providing at least one networkprocessor module connected to the flow processor module, having at leastone processor and instructions for, recognizing a data request forprocessing by the applications on the flow processor modules, and,transferring data requests to flow processor modules capable ofprocessing the data request, and, connecting a control processor moduleto the flow processor module and the network processor, the controlprocessor module in communication with the flow processor module and thenetwork processor module, and having at least one processor andinstructions for causing the processor to perform at least one of,deleting applications from the flow processor modules, and, storingapplications to the flow processor modules.
 42. A method according toclaim 41, further comprising, providing a management server module incommunications with the control processor module, the management servermodule having a processor and instructions for controlling theapplications on the flow processor modules.
 43. A method according toclaim 41, wherein providing at least one network processor modulefurther includes providing processor instructions for, receiving datafrom the network, processing data from the network, receiving processeddata from the flow processor modules, and, transferring the processeddata to a network destination.
 44. A method according to claim 41,providing at least one network processor module further includesproviding processor instructions for forwarding received data to anetwork destination.
 45. A method according to claim 41, whereinconnecting a control processor module further includes providinginstructions for causing the processor to perform processing of datarequests from the network processor module.